06-04-2013 09:30 AM
We have a Cisco ASA 5505 at our CORP location, on which I have configured the Site2Site VPN to our COLO with a Juniper SRX220h. The site to site works fine, but when users access the Cisco VPN client from home, they can't ping or SSH through the Site2Site. Contacted JTAC and they said it's not on their end, so I tried to contact Cisco TAC, no support. So here I am today, after 3 days (including Friday last week) of searching the Internet for over 6hrs a day, and trying different examples of other users. NO LUCK. The VPN client shows the secured route to 10.1.0.0
Sorry to post this but I am getting frustrated and Boss is breathing down my neck to complete this.
CORP network 192.168.1.0
VPN IP pool 192.168.12.0
Colo internal ip 10.1.0.0
Also here is an example of my ASA config
: Saved
:
ASA Version 8.2(1)
!
hostname lwchsasa
names
name 10.1.0.1 colo
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
backup interface Vlan12
nameif outside_pri
security-level 0
ip address 64.20.30.170 255.255.255.248
!
interface Vlan12
nameif backup
security-level 0
ip address 173.165.159.241 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network NY
network-object 192.168.100.0 255.255.255.0
object-group service BSRO-3387 tcp
port-object eq 3387
object-group service BSRO-3388 tcp
port-object eq 3388
object-group service BSRO-3389 tcp
port-object eq 3389
object-group service OpenAtrium tcp
port-object eq 8100
object-group service Proxy tcp
port-object eq 982
object-group service VOIP10K-20K udp
port-object range 10000 20000
object-group network clientvpn
network-object 192.168.12.0 255.255.255.0
object-group service APEX-SSL tcp
description Apex Secure Dashboard Service
port-object eq 8586
object-group network CHS-Colo
network-object 10.1.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.1.0 255.255.255.0
network-object host 64.20.30.170
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object icmp traceroute
service-object tcp-udp eq www
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object udp eq www
service-object udp eq tftp
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object tcp eq ssh
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group clientvpn
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list inside_nat0_outbound extended permit ip any 192.168.12.0 255.255.255.0
access-list outside_pri_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq www
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq https
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq 8100
access-list outside_pri_access_in extended permit tcp any interface outside_pri eq ssh inactive
access-list outside_pri_access_in extended permit icmp any any echo-reply
access-list outside_pri_access_in extended permit icmp any any source-quench
access-list outside_pri_access_in extended permit icmp any any unreachable
access-list outside_pri_access_in extended permit icmp any any time-exceeded
access-list outside_pri_access_in extended permit tcp any 64.20.30.168 255.255.255.248 eq 8586
access-list levelwingVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list levelwingVPN_splitTunnelAcl standard permit 10.1.0.0 255.255.255.0
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list backup_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.12.0 255.255.255.0
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list VPN-Corp-Colo extended permit object-group DM_INLINE_SERVICE_1 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OUTSIDE-NAT0 remark NAT0 for VPN Client to Remote Site
access-list OUTSIDE-NAT0 extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2LVPN extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm warnings
logging rate-limit unlimited level 4
flow-export destination inside 192.168.1.1 2055
flow-export template timeout-rate 1
mtu inside 1500
mtu outside_pri 1500
mtu backup 1500
ip local pool LVCHSVPN 192.168.12.100-192.168.12.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 100 burst-size 5
icmp permit any inside
icmp permit any outside_pri
no asdm history enable
arp timeout 14400
nat-control
global (outside_pri) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside_pri) 0 access-list OUTSIDE-NAT0
nat (backup) 0 access-list backup_nat0_outbound
static (inside,outside_pri) tcp interface https 192.168.1.45 https netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface www 192.168.1.45 www netmask 255.255.255.255 dns
static (inside,outside_pri) tcp interface 8586 192.168.1.45 8586 netmask 255.255.255.255 dns
static (inside,inside) tcp interface 8100 192.168.1.45 8100 netmask 255.255.255.255 dns
access-group outside_pri_access_in in interface outside_pri
route outside_pri 0.0.0.0 0.0.0.0 64.20.30.169 1 track 1
route backup 0.0.0.0 0.0.0.0 173.165.159.246 254
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:30:00 udp 1:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 1:00:00 absolute uauth 1:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 981
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside_pri
http 0.0.0.0 0.0.0.0 backup
snmp-server group Authentication_Only v3 auth
snmp-server host inside 192.168.1.47 poll community lwmedia version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1200
sla monitor 123
type echo protocol ipIcmpEcho 216.59.44.220 interface outside_pri
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set esp-3des-sha1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside_pri
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 1 match address outside_pri_1_cryptomap
crypto map outside_pri_map 1 set pfs
crypto map outside_pri_map 1 set peer 50.75.217.246
crypto map outside_pri_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_pri_map 2 match address outside_pri_cryptomap
crypto map outside_pri_map 2 set peer 216.59.44.220
crypto map outside_pri_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 2 set security-association lifetime seconds 86400
crypto map outside_pri_map 3 match address outside_pri_cryptomap_1
crypto map outside_pri_map 3 set peer 216.59.44.220
crypto map outside_pri_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_pri_map interface outside_pri
crypto isakmp identity address
crypto isakmp enable outside_pri
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside_pri
!
dhcpd address 192.168.1.51-192.168.1.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd domain LM interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 2
no threat-detection statistics tcp-intercept
webvpn
port 980
enable inside
enable outside_pri
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec svc
group-policy levelwingVPN internal
group-policy levelwingVPN attributes
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value levelwingVPN_splitTunnelAcl
username aard password Z74.JN3DGMNlP0H2 encrypted privilege 0
username aard attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rcossentino password 4UpCXRA6T2ysRRdE encrypted
username rcossentino attributes
vpn-group-policy levelwingVPN
service-type remote-access
username bcherok password evwBWqKKwrlABAUp encrypted
username bcherok attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rscott password nIOnWcZCACUWjgaP encrypted privilege 0
username rscott attributes
vpn-group-policy levelwingVPN
username sryan password 47u/nJvfm6kprQDs encrypted
username sryan attributes
vpn-group-policy levelwingVPN
service-type nas-prompt
username cbruch password a8R5NwL5Cz/LFzRm encrypted privilege 0
username cbruch attributes
vpn-group-policy levelwingVPN
service-type remote-access
username apellegrino password yy2aM21dV/11h7fR encrypted
username apellegrino attributes
vpn-group-policy levelwingVPN
service-type remote-access
username rtuttle password /79ROD7fRw5C4.l5 encrypted privilege 0
username rtuttle attributes
vpn-group-policy levelwingVPN
username levelwingadmin password vJFHerTwBy8dRiyW encrypted privilege 15
username nbrothers password CAjm/rm5PYhoysB5 encrypted privilege 0
username nbrothers attributes
vpn-group-policy levelwingVPN
username clong password z.yb0Oc09oP3/mXV encrypted
username clong attributes
vpn-group-policy levelwingVPN
service-type remote-access
username finance password 9TxE6jWN/Di4eZ8w encrypted privilege 0
username finance attributes
vpn-group-policy levelwingVPN
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive disable
tunnel-group 50.75.217.246 type ipsec-l2l
tunnel-group 50.75.217.246 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group levelwingVPN type remote-access
tunnel-group levelwingVPN general-attributes
address-pool LVCHSVPN
default-group-policy levelwingVPN
tunnel-group levelwingVPN ipsec-attributes
pre-shared-key *
tunnel-group 216.59.44.221 type ipsec-l2l
tunnel-group 216.59.44.221 ipsec-attributes
pre-shared-key *
tunnel-group 216.59.44.220 type ipsec-l2l
tunnel-group 216.59.44.220 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
!
!
policy-map global_policy
!
prompt hostname context
Cryptochecksum:ed7f4451c98151b759d24a7d4387935b
: end
06-04-2013 09:44 AM
Hi,
To me it seems you got most things covered.
You have however not "told" the L2L VPN configuration that traffic between the VPN Pool and the Colo network should be tunneled
access-list outside_pri_cryptomap extended permit ip 192.168.12.0 255.255.255.0 object-group CHS-Colo
Though naturally the remote end will also need the corresponding configurations for the VPN client users to be able to get traffic through to the Colo site.
- Jouni
06-04-2013 09:46 AM
I wouldn't recommend setting the "conn timeout" value to 0
To my understanding that means you might have several connections hanging around your ASA permanently.
- Jouni
06-04-2013 09:41 AM
This is what I have done SO FAR
changed the COLO group policy, from GP2 to System Default
Changed Default L2L group keepalives to disabled
Configuration > Site-to-Site VPN > Advanced > Tunnel Groups
crypto ipsec df-bit clear-df outside
sysopt connection tcpmss 1200
configured NAT rules
exempt inside CHS=Colo INBOUND
timeout conn 0:0:0
added Access rules
192.168.12.0-icmp
added VPN-COLO-Corp to ACL manager
same-security-traffic permit intra-interface
access-list OUTSIDE-NAT0 remark NAT0 for VPN Client to Remote Site
access-list OUTSIDE-NAT0 permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NAT0
06-04-2013 09:48 AM
Well looks like everything is Ok with ASA, now back to JTAC, thank you for your quick support!!!!
06-04-2013 09:53 AM
Hi,
I meant that you didn't seem to have the ACL mentioned in my post
You seemed to have the ACL line that defines that traffic from your LAN 192.168.1.0/24 would get forwarded to the remote site BUT there was no ACL rule mentioning the network 192.168.12.0/24 in the same L2L VPN crypto ACL.
- Jouni
06-04-2013 09:56 AM
Getting a bit more confusing.
You have 2 L2L VPN configurations with the same peer IP address for the remote VPN device.
They are also supposed to tunnel traffic to the same network
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_pri_map 2 set peer 216.59.44.220
crypto map outside_pri_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 2 set security-association lifetime seconds 86400
crypto map outside_pri_map 3 match address outside_pri_cryptomap_1
crypto map outside_pri_map 3 set peer 216.59.44.220
crypto map outside_pri_map 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
Seems to me that there are some configurations that are probably not needed.
- Jouni
06-04-2013 10:01 AM
Ok those lines have been removed, yeah I started with the company after everything was set up, so there are probably more duplicate issues like this in the config file, sorry
06-05-2013 06:19 AM
removing the lines below dropped the Site2Site
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
06-05-2013 06:25 AM
Hi,
I didn't mean that they should be both removed.
I just stated that there are 2 almost identical L2L VPN configurations. Both connections have the same source and destination network and the same L2L VPN peer IP address. So one of them is not needed.
The key thing you were missing from the L2L VPN configuration was the ACL rule that tells the L2L VPN to tunnel the traffic from the VPN Client pool to the remote network behind the L2L VPN
If the below is the L2L VPN configuration in question
crypto map outside_pri_map 2 match address outside_pri_cryptomap
crypto map outside_pri_map 2 set peer 216.59.44.220
crypto map outside_pri_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_pri_map 2 set security-association lifetime seconds 8640
Then you needed this ACL rule in addition to what's already configured in the ACL
access-list outside_pri_cryptomap extended permit ip 192.168.12.0 255.255.255.0 object-group CHS-Colo
This of course presumes that the remote end has also made additions to their side that permits the traffic from the VPN Pool network to be tunneled to their site.
There is the command I provided before that should confirm if the L2L VPN portion is ok while you are having a continuous PING going from the VPN Client to the remote site network. (The "show crypto ipsec sa peer 216.59.44.220" command)
- Jouni
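An added example, not part of the original posts: a small audit that checks which crypto map entries would tunnel a given source and destination, using lines from the configuration in this thread. The function names (`parse`, `audit`) are hypothetical, and the check compares addresses only, ignoring protocol and port.

```python
import ipaddress

# Constructed sample: lines copied from the configuration posted in this thread.
CONFIG = """\
object-group network NY
network-object 192.168.100.0 255.255.255.0
object-group network CHS-Colo
network-object 10.1.0.0 255.255.255.0
access-list outside_pri_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group NY
access-list outside_pri_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group CHS-Colo
access-list outside_pri_cryptomap_1 extended permit object-group DM_INLINE_SERVICE_2 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list outside_19_cryptomap extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list L2LVPN extended permit ip 192.168.12.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_pri_map 1 match address outside_pri_1_cryptomap
crypto map outside_pri_map 2 match address outside_pri_cryptomap
crypto map outside_pri_map 3 match address outside_pri_cryptomap_1
"""

# The crypto ACL entry suggested in the reply above.
FIX = ("access-list outside_pri_cryptomap extended permit ip "
       "192.168.12.0 255.255.255.0 object-group CHS-Colo\n")


def _take(tokens, groups):
    """Consume one address spec; return (networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return groups.get(tokens[1], []), tokens[2:]
    return [ipaddress.ip_network(tokens[0] + "/" + tokens[1])], tokens[2:]


def parse(config):
    """Return (network object-groups, ACL entries, crypto map bindings)."""
    groups, acls, maps, current = {}, {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group":
            current = groups.setdefault(t[2], []) if t[1] == "network" else None
        elif t[0] == "network-object" and current is not None:
            current.extend(_take(t[1:], groups)[0])
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            # Skip the protocol, which may itself be "object-group NAME".
            rest = t[6:] if t[4] == "object-group" else t[5:]
            try:
                src, rest = _take(rest, groups)
                dst, _ = _take(rest, groups)
            except (ValueError, IndexError):
                continue  # forms such as "interface outside_pri" are not handled
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            maps[(t[2], int(t[3]))] = t[6]
    return groups, acls, maps


def _selects(entries, src, dst):
    """True if any entry's source and destination contain src and dst."""
    return any(any(src.subnet_of(s) for s in ss) and
               any(dst.subnet_of(d) for d in ds) for ss, ds in entries)


def audit(config, src, dst):
    """Return (crypto map entries that tunnel src->dst,
    matching ACLs that no crypto map references)."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    _, acls, maps = parse(config)
    hits = {n for n, entries in acls.items() if _selects(entries, src, dst)}
    bound = sorted(k for k, name in maps.items() if name in hits)
    return bound, sorted(hits - set(maps.values()))
```

On the sample, the VPN pool to Colo pair matches two ACLs that no crypto map references and no crypto map entry at all; with the suggested entry appended, crypto map sequence 2 selects it. The LAN to Colo pair is selected by both sequence 2 and sequence 3, which is the duplication pointed out in the reply.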
06-04-2013 09:56 AM
Ok well tried your command, wasn't able to ping to any of the 3 hosts on the 10.1.0.0/24 network
06-04-2013 09:59 AM
Hi,
Have your VPN client connection active and have a continuous ICMP going to the remote destination IP address
Then take the output of the command
show crypto ipsec sa peer 216.59.44.220
And share that here
- Jouni
06-04-2013 10:04 AM
Ok gonna have to try this in the morning, got meetings the rest of the day! Thanks again, I'll keep you posted
06-05-2013 07:48 AM
Result of the command: "show crypto ipsec sa peer 216.59.44.220"
peer address: 216.59.44.220
Crypto map tag: outside_pri_map, seq num: 2, local addr: 64.20.30.170
access-list outside_pri_cryptomap permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 216.59.44.220
#pkts encaps: 11653, #pkts encrypt: 11653, #pkts digest: 11653
#pkts decaps: 17264, #pkts decrypt: 17264, #pkts verify: 17264
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11653, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 64.20.30.170, remote crypto endpt.: 216.59.44.220
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6A722329
inbound esp sas:
spi: 0x6B8AAF3A (1804250938)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8654848, crypto-map: outside_pri_map
sa timing: remaining key lifetime (sec): 80108
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFBFDF 0xFFFFFFFF
outbound esp sas:
spi: 0x6A722329 (1785865001)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8654848, crypto-map: outside_pri_map
sa timing: remaining key lifetime (sec): 80108
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
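An added example, not part of the original posts: reading "show crypto ipsec sa" output to see whether an IPsec SA exists for a given local and remote network and whether traffic flows both ways. The sample is trimmed from the output above; `parse_sas`, `diagnose` and the result codes are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: trimmed from the "show crypto ipsec sa" output posted above.
SA_OUTPUT = """\
peer address: 216.59.44.220
Crypto map tag: outside_pri_map, seq num: 2, local addr: 64.20.30.170
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer: 216.59.44.220
#pkts encaps: 11653, #pkts encrypt: 11653, #pkts digest: 11653
#pkts decaps: 17264, #pkts decrypt: 17264, #pkts verify: 17264
"""

IDENT = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(text):
    """Return one dict per SA: local/remote networks and packet counters."""
    sas = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a "local ident" line starts a new SA
                sas.append({"encaps": 0, "decaps": 0})
            if sas:
                sas[-1][m.group(1)] = ipaddress.ip_network(
                    m.group(2) + "/" + m.group(3))
            continue
        for key, value in COUNT.findall(line):
            if sas:
                sas[-1][key] = int(value)
    return sas


def diagnose(text, local, remote):
    """Classify the SA state for traffic from `local` to `remote`.

    no-sa      no SA with matching identities: the pair is not selected by
               the crypto ACL, or phase 2 for it did not complete
    no-encaps  SA exists but this device has encrypted nothing
    no-decaps  packets leave encrypted but nothing comes back
    two-way    packets are encrypted and decrypted
    """
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for sa in parse_sas(text):
        if "local" not in sa or "remote" not in sa:
            continue
        if local.subnet_of(sa["local"]) and remote.subnet_of(sa["remote"]):
            if sa["encaps"] == 0:
                return "no-encaps"
            return "two-way" if sa["decaps"] else "no-decaps"
    return "no-sa"
```

Run against the posted output, the LAN to Colo pair is two-way while the VPN pool 192.168.12.0/24 has no SA at all.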
06-05-2013 07:52 AM
Here are the debugging results from the ASA
4|Jun 05 2013|06:10:51|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:50|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:50|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 17 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10930
4|Jun 05 2013|06:10:49|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:48|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:47|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:46|106023|99.174.121.14|54463|64.20.30.170|20698|Deny tcp src outside_pri:99.174.121.14/54463 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
3|Jun 05 2013|06:10:37|713902|||||Group = 216.59.44.220, IP = 216.59.44.220, Removing peer from correlator table failed, no match!
1|Jun 05 2013|06:10:37|713900|||||Group = 216.59.44.220, IP = 216.59.44.220, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3|Jun 05 2013|06:10:37|713902|||||Group = 216.59.44.220, IP = 216.59.44.220, QM FSM error (P2 struct &0xccc63ee8, mess id 0x124bf8bb)!
4|Jun 05 2013|06:10:30|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 13 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11187
2|Jun 05 2013|06:10:29|106017|192.168.1.1||192.168.1.1||Deny IP due to Land Attack from 192.168.1.1 to 192.168.1.1
4|Jun 05 2013|06:10:19|106023|146.85.238.61|61323|64.20.30.170|20698|Deny tcp src outside_pri:146.85.238.61/61323 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:13|106023|146.85.238.61|61323|64.20.30.170|20698|Deny tcp src outside_pri:146.85.238.61/61323 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:10|106023|146.85.238.61|61323|64.20.30.170|20698|Deny tcp src outside_pri:146.85.238.61/61323 dst inside:64.20.30.170/20698 by access-group "outside_pri_access_in" [0x0, 0x0]
4|Jun 05 2013|06:10:10|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 14 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11358
3|Jun 05 2013|06:10:03|713902|||||Group = 216.59.44.220, IP = 216.59.44.220, Removing peer from correlator table failed, no match!
1|Jun 05 2013|06:10:03|713900|||||Group = 216.59.44.220, IP = 216.59.44.220, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
3|Jun 05 2013|06:10:03|713902|||||Group = 216.59.44.220, IP = 216.59.44.220, QM FSM error (P2 struct &0xccc63ee8, mess id 0xa745d7b5)!